Insider security threats could be on the rise

The U.S. Government released a cybersecurity legislative proposal for Congress to consider in light of the increased need for critical infrastructure security. The proposal features the following main points:

  • National Data Breach Reporting
  • Penalties for Computer Criminals
  • Voluntary Government Assistance to Industry, States, and Local Government. Organizations that suffer a cyber intrusion
  • Voluntary Information Sharing with Industry, States, and Local Government
  • Critical Infrastructure Cybersecurity Plans
  • Update the Federal Information Security Management Act (FISMA) and formalize DHS’ current role in managing cybersecurity for the Federal Government’s civilian computers and networks
  • The recruitment and retention of highly-qualified cybersecurity professionals
  • Intrusion Prevention Systems
  • Cloud computing
  • A new framework of privacy and civil liberties protection designed expressly to address the challenges of cybersecurity

While laudable and the right thing to do, some critics say the White House cybersecurity proposal could actually make networks more vulnerable by opening them to new insider threats.

Under the proposal, covered companies would be responsible for mitigating threats, but third-party inspectors would assess their control over those risks regularly.

“The single largest vulnerability of our cyber systems comes not from hackers using technology to break into systems, but from insiders with approved access to the systems,” Larry Clinton, president of the Internet Security Alliance, which represents industries with a stake in online security, told House members at a Homeland Security Cybersecurity, Infrastructure Protection and Security Technologies subcommittee hearing. “This proposal creates a virtual army of insiders crawling through our most critical infrastructure’s security systems on an annual basis.”

Clinton suggested replacing audits with cyber insurance that would provide businesses an economic incentive to heighten protections on their own. Committee members seemed to agree with the concept.

“The best way to do it is to make the system so that the organizations want to invest in security, so that they see it in their own self interest,” Clinton added. “My daughter drives more carefully because she wants a good driver discount,” he said in providing an example of the financial incentive companies would have to practice good cyber hygiene.

The White House proposal includes several financial bonuses and economic punishments but does not address insurance. Companies that fail their annual security tests would be named publicly, which could damage their brands or upset investors, administration officials said recently. Also, firms that perform well might be eligible for more government business.

It is an interesting concept, providing financial incentives for companies to do what is in their best interests. Yet what we have learned from the food industry and other industries where government inspections are mandated, is  human nature is often complacent, seeks to cut corners, seeks to save money, and to gain an advantage even at the expense of others. Which has resulted in the need for government oversight in critical areas such as auto inspections – which may be a great model for this proposal.

Therefore I think there will be a middle ground, where there are incentives for companies to do the right thing in terms of bolstering security, yet the availability of outside security firms to test and upgrade cyber defenses.